Highlighted
Contributor
Contributor

"Unable to query vSphere health information" and "Unable to query vSAN health information" after certificate replacement - VCSA 6.7U2

Jump to solution

I attempted to replace my machine cert on my VCSA server.  After a few attempts I gave up and performed a full certificate reset using the `/usr/lib/vmware-vmca/bin/certificate-manager` tool.

Now I'm seeing the following errors in the UI when looking at any Health or vSAN information.   Anyone know how to resolve this?  I upgraded to 6.7.0.40000 and that didn't help.

Screen Shot 2019-10-23 at 11.14.28 AM.png

Screen Shot 2019-10-23 at 11.14.43 AM.png

Screen Shot 2019-10-23 at 11.14.54 AM.png

in my /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log I see lots of:

Caused by: com.vmware.vsphere.client.vsandp.core.sessionmanager.common.NotAccessibleException: com.vmware.vim.vmomi.client.exception.SslException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain is not trusted and thumbprint doesn't match

at com.vmware.vsphere.client.vsandp.core.sessionmanager.common.PbmClient.getConnection(PbmClient.java:70)

at com.vmware.vsphere.client.vsan.base.impl.PbmDataProvider.getProfileIds(PbmDataProvider.java:181)

at com.vmware.vsphere.client.vsan.base.impl.PbmDataProvider.getStoragePolicies(PbmDataProvider.java:131)

at com.vmware.vsphere.client.vsan.base.impl.PbmDataProvider.getObjectCompatibleStoragePolicies(PbmDataProvider.java:118)

... 119 common frames omitted

Caused by: com.vmware.vim.vmomi.client.exception.SslException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain is not trusted and thumbprint doesn't match

at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.setError(ResponseImpl.java:256)

at com.vmware.vim.vmomi.client.http.impl.HttpExchange.run(HttpExchange.java:56)

at com.vmware.vim.vmomi.client.http.impl.HttpProtocolBindingBase.executeRunnable(HttpProtocolBindingBase.java:226)

at com.vmware.vim.vmomi.client.http.impl.HttpProtocolBindingImpl.send(HttpProtocolBindingImpl.java:106)

at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl$CallExecutor.sendCall(MethodInvocationHandlerImpl.java:629)

...

26 Replies
Highlighted
Contributor
Contributor

Hi Vijay2027, could you please also send me the commands? I have exact the same problem.

Thank you very much.

0 Kudos
Highlighted
Expert
Expert

Please look at the comment from irvingpop_chef

"you were right, it was definitely a complex and not self-fixable issue.  I had a number of services that were running with the wrong certificate.  GSS provided me with a script that fixed them all."

Please contact GSS.

0 Kudos
Highlighted
Contributor
Contributor

Hey, I am also facing the same problem, can you tell me the command they sent you ?

0 Kudos
Highlighted
Enthusiast
Enthusiast

For me, this error is always fixed by just logging out and logging in again... (before, I was always deleting cookies, which also logs me out, but not even that seems necessary).

Latest vCenter 7, super annoying. Also tags are "disappearing" (just not shown), but they're there if I use another PC/browser/delete cookies....

0 Kudos
Highlighted
Contributor
Contributor

Sorry, but I'm kinda new to this.

I have the same issue here after our certs expired and I tried to renew them by myself.

What exactly is GSS and how do I contact them?

Thank you

0 Kudos
Highlighted
VMware Employee
VMware Employee

GSS = Global Support Services

In other words, what most would call "tech support" (although they help with less tech stuff too)

However they are now known as Global Services, and you can contact them via this: Support Contact Options - VMware


Forum Usage Guidelines: https://communities.vmware.com/docs/DOC-12286
VMware Training & Certification blog: http://vmwaretraining.blogspot.com
Highlighted
VMware Employee
VMware Employee

Faced the same issue :

Virgo logs gave :

++++++

Caused by: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint doesn't match

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

++++++

Fixed the mismatch and the Skyline health was fine.

0 Kudos